[LRUG] OpenSSL CSR Generation - Challenge Passhrase

Theo Cushion theo at jivatechnology.com
Mon Jun 25 09:11:31 PDT 2012


The chef gem has some nice examples of using the OpenSSL library:

https://github.com/opscode/chef/blob/master/chef/lib/chef/certificate.rb

Might shed some light on how to do it.

Cheers

Theo

On 25 Jun 2012, at 16:59, Jared Patterson wrote:

> Hey All,
> 
> Im working on building a API to handle certificate requests against a SCEP API on a PKI Product, and I need to be able to generate CSR's, which include a challenge passphrase, however I am struggling to see how this is done in ruby, nor does the docs for openssl show how this is possible. Usually using the openssl command directly, you would do something like:
> 
> # openssl req -new -nodes -keyout myserver.key -out server.csr -newkey rsa:2048
> 
> Which would request the following:
> 
> 
> ---------  
>        Country Name (2 letter code) [US]: US
>        State or Province Name (full name) []: Texas
>        Locality Name (eg, city) []: Houston
>        Organization Name (eg, company) []: Your Company Inc
>        Organizational Unit Name (eg, section) []: Your Department
>        Common Name (eg, YOUR name) []: secure.yourcompanyname.com
>        Email Address []:
> 
> Please enter the following 'extra' attributes to be sent with your certificate request
> 
>        A challenge password []: 
>        An optional company name []:
> ---------
> 
> In ruby, I am doing the following:
> 
> ---------
> 
> 
> def gen_key(name)
> 
>   begin
> 
>     key = OpenSSL::PKey::RSA.new 2048
> 
>     file = File.new(name, "w")
> 
>     file.write(key)
> 
>     file.close
> 
>   rescue => e
> 
>     print "Error, something went wrong while generating the private key file?"
> 
>     print "Exception: #{e.message}" 
> 
>   end
> 
> end
> 
> new_key = gen_key("jared.test.com")
> 
> def get_key(name)
> 
>   OpenSSL::PKey::RSA.new File.open(name)
> 
> end
> 
> 
> key = get_key("jared.test.com")
> cn = "jared.test.com")
> 
> def gen_csr(key, cn)
> 
>   options = { 
> 
> 
>   
> 
> 
>   :country      => 'GB',
> 
>   :state        => 'London',
> 
>   :city         => 'London',
> 
>   :organization => 'Betfair',
> 
>   :department   => 'IS', 
> 
>   :common_name  => '#{cn}',
> 
>   :email        => 'jared.patterson at betfair.com'
> 
> 
>   
> 
> 
>   }
> 
> 
> 
> 
>   request = OpenSSL::X509::Request.new
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
>   request.version = 0 
> 
>   request.subject = OpenSSL::X509::Name.new([
> 
>   ['C',             options[:country], OpenSSL::ASN1::PRINTABLESTRING],
> 
>   ['ST',            options[:state],        OpenSSL::ASN1::PRINTABLESTRING],
> 
>   ['L',             options[:city],         OpenSSL::ASN1::PRINTABLESTRING],
> 
>   ['O',             options[:organization], OpenSSL::ASN1::UTF8STRING],
> 
>   ['OU',            options[:department],   OpenSSL::ASN1::UTF8STRING],
> 
>   ['CN',            options[:common_name],  OpenSSL::ASN1::UTF8STRING],
> 
>   ['emailAddress',  options[:email],        OpenSSL::ASN1::UTF8STRING]
> 
> 
>   
> 
> 
>   ])  
> 
>   request.public_key = key.public_key
> 
>   request.sign(key, OpenSSL::Digest::SHA1.new)
> 
> end
> 
> my_csr = gen_csr(key, cn)
> 
> ---------
> 
> However I don’t understand how I can add the challenge passphrase to the CSR, i'm guessing this is some sort of additional attribute added to the request, does anyone know how this is done, can supply me with an example?
> 
> 
> 
> 
> Cheers,
> 
> Jared Patterson
> Senior Linux Application Engineer
> IS Platform and Enterprise – Product Delivery
>  
> Office: +44 (0) 20 8834 6506
> Yahoo IM: patterson.jared84
> 
> 
> 
> Betfair. The World’s Biggest Betting Community.
> 
> Please consider the environment before printing this e-mail.
> Betfair Limited | Winslow Road | Hammersmith Embankment | London | W6 9HP. Registered in England and Wales under company number 5140986.
> 
> 
> 
> 
> ________________________________________________________________________
> In order to protect our email recipients, Betfair Group use SkyScan from 
> MessageLabs to scan all Incoming and Outgoing mail for viruses.
> 
> ________________________________________________________________________
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lrug.org/pipermail/chat-lrug.org/attachments/20120625/ea3e67d3/attachment.html>


More information about the Chat mailing list